
Kubernetes RBAC to restrict user to see only required resources on kubernetes dashboard

Hi Everyone, I want to restrict my developers to be able to see only required resources on kubernetes dashboard (for example only their namespace, not all the namespaces). Is it possible to do that? If yes, can someone point me to the right documents? Many Thanks

I am using the below RBAC for the kube-system namespace. However the user is able to see all the namespaces on the dashboard rather than seeing only the namespaces he has access to.

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: kube-system
  name: dashboard-reader-role
rules:
- apiGroups: [""]
  # the proxy subresource is named "services/proxy" (plural), not "service/proxy"
  resources: ["services/proxy"]
  verbs: ["get"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dashboard-reader-ad-group-rolebinding
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: dashboard-reader-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: "****************"

Please see the k8s RBAC documentation:

Example: create a developer role in the development namespace:

kind: Role
# rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; use v1
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: development
  name: developer
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["deployments", "replicasets", "pods"]
  verbs: ["list", "get", "watch"]
# You can use ["*"] for all verbs

then bind it:

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: developer-role-binding
  namespace: development
subjects:
- kind: User
  name: DevDan
  apiGroup: ""   # empty defaults to rbac.authorization.k8s.io for User/Group subjects
roleRef:
  kind: Role
  name: developer
  # roleRef.apiGroup must be the RBAC API group; an empty string is rejected by the API server
  apiGroup: rbac.authorization.k8s.io

Also, there is a built-in view-only role that you can bind to a user:

https://kubernetes.io/docs/reference/access-authn-authz/rbac/#default-roles-and-role-bindings

C02W84XMHTD5:~ iahmad$ kubectl get clusterroles --all-namespaces  | grep view
system:aggregate-to-view                                               17d
view                                                                   17d

But this is a cluster-wide view role; if you want them to see only the stuff in a specific namespace, then create a view role in that namespace and bind it, as in the example above.
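To make the namespace-vs-cluster scoping concrete, here is a small RBAC evaluator (an added example, not part of the original answer) that models the two manifests above as plain dicts and checks what each binding actually grants. The ClusterRole "view" rules and the user "ops-reader" are constructed stand-ins for illustration.

```python
def rule_matches(rule, api_group, resource, verb):
    """One RBAC rule allows a request only if group, resource and verb all match."""
    return all(want in rule[key] or "*" in rule[key] for key, want in
               (("apiGroups", api_group), ("resources", resource), ("verbs", verb)))

def can_i(subject, verb, resource, namespace, roles, bindings, api_group=""):
    """True if some binding for `subject` (kind, name) grants verb on resource in namespace.
    roles maps (kind, namespace-or-None, name) -> list of rules."""
    for b in bindings:
        if subject not in b["subjects"]:
            continue
        # A RoleBinding only applies inside its own namespace; a ClusterRoleBinding everywhere.
        if b["kind"] == "RoleBinding" and b["namespace"] != namespace:
            continue
        ref = b["roleRef"]
        # A RoleBinding may also reference a ClusterRole; its rules are then namespace-scoped.
        role_ns = b["namespace"] if ref["kind"] == "Role" else None
        if any(rule_matches(r, api_group, resource, verb) for r in roles[(ref["kind"], role_ns, ref["name"])]):
            return True
    return False

ROLES = {
    # The namespaced "developer" Role from the answer above.
    ("Role", "development", "developer"): [
        {"apiGroups": ["", "extensions", "apps"],
         "resources": ["deployments", "replicasets", "pods"],
         "verbs": ["list", "get", "watch"]}],
    # Constructed stand-in for the built-in ClusterRole "view" (the real one has many more rules).
    ("ClusterRole", None, "view"): [
        {"apiGroups": [""], "resources": ["pods", "services", "namespaces"],
         "verbs": ["get", "list", "watch"]}],
}

BINDINGS = [
    # The RoleBinding from the answer: DevDan gets "developer" inside development only.
    {"kind": "RoleBinding", "namespace": "development",
     "subjects": [("User", "DevDan")], "roleRef": {"kind": "Role", "name": "developer"}},
    # Constructed: a second user bound to "view" cluster-wide, for contrast.
    {"kind": "ClusterRoleBinding", "namespace": None,
     "subjects": [("User", "ops-reader")], "roleRef": {"kind": "ClusterRole", "name": "view"}},
]

def compare_scopes():
    """DevDan can list pods only in development; ops-reader can list them in any namespace."""
    dev, ops = ("User", "DevDan"), ("User", "ops-reader")
    return {
        "devdan_dev_pods": can_i(dev, "list", "pods", "development", ROLES, BINDINGS),
        "devdan_kube_system_pods": can_i(dev, "list", "pods", "kube-system", ROLES, BINDINGS),
        "devdan_dev_secrets": can_i(dev, "get", "secrets", "development", ROLES, BINDINGS),
        "ops_kube_system_pods": can_i(ops, "list", "pods", "kube-system", ROLES, BINDINGS),
    }
```

On a real cluster the equivalent check is `kubectl auth can-i list pods --namespace kube-system --as DevDan`, which should answer "no" once only the namespaced RoleBinding exists.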
